Hello,

I am trying to write a crypto policy modifier to disable some kex algorithms in OpenSSH (not the one in the example, but the issue is the same).

Reading /usr/share/crypto-policies/python/policygenerators/openssh.py, I find mappings like 'ECDHE-SECP521R1-SHA2-512': 'ecdh-sha2-nistp521', so I tried to write in a pmod key_exchange = -ECDHE-SECP521R1-SHA2-512

When I try to load it with update-crypto-policies, it fails stating Bad value of policy property `key_exchange`: `ECDHE-SECP521R1-SHA2-512`, and in fact If I check /usr/share/crypto-policies/python/cryptopolicies/alg_lists.py, ECDHE-SECP521R1-SHA2-512 is not defined there.

So, how can I disable in OpenSSH kex/algorithms/etc that are defined in /usr/share/crypto-policies/python/policygenerators/openssh.py but not in /usr/share/crypto-policies/python/cryptopolicies/alg_lists.py?

Best regards

Francesco Di Nucci